Solved

After upgrade to 2008 (CertEnroll) Stand-alone CA, web browsing certs work on XP, not 7

Posted on 2011-03-07
5
930 Views
Last Modified: 2012-05-11
I am managing a web application that uses digital certificates to identify end-users over the internet for access to the app.  We were using Server 2003 R2 x86, but got tired of installing certs manually for Windows 7.

Having a few extra licenses of Server available, I cloned the existing app server (which is the CA too), changed its product key, and upgraded that to 2008 x32 (R2 only x64 :( ).  After sorting out some minor problems (including having to publish a new CRL), I can get XP clients to work normally.  However, 7 clients using the same web enrollment get the root and client certificates but cannot access the site.  Error is "page requires client certificate (403.7)".

The root and client certificates are there, but the key usage on the client cert is only "Key Encipherment (20)".  On XP clients, the key usage is "Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment (f0)".

Any guidance would be appreciated!  Thanks, Tom.

Question by:tboncher
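
The two Key Usage values quoted in the question (0x20 on the Windows 7 client, 0xf0 on the XP client) are the first byte of the certificate's KeyUsage BIT STRING. Decoding them shows exactly what separates a working client-auth cert from a failing one: TLS client authentication requires the client to sign the handshake (CertificateVerify), so a certificate whose Key Usage carries only keyEncipherment cannot be used for it, however valid it otherwise is. The following is an added example, not code from the original thread; the DER blobs are constructed to match the hex values in the question, and the bit layout follows RFC 5280 section 4.2.1.3 (bit 0 is the most significant bit of the first payload byte).

```python
"""Decode an X.509 KeyUsage extension value and check TLS client-auth suitability.

Added example for this thread; not part of the original post. The sample DER
blobs below are constructed to reproduce the two Key Usage bytes the question
quotes (0x20 for the Windows 7 client, 0xf0 for the XP client).
"""

# RFC 5280 4.2.1.3: KeyUsage ::= BIT STRING, bit 0 = MSB of the first byte.
KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (also called contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8 (needs a second payload byte)
]

# Constructed samples: DER BIT STRING = tag 0x03, length, unused-bit count, payload.
WIN7_KEY_USAGE = bytes.fromhex("03020520")  # payload 0x20 -> keyEncipherment only
XP_KEY_USAGE = bytes.fromhex("030204f0")    # payload 0xf0 -> bits 0..3 set


def decode_key_usage(der: bytes) -> list:
    """Decode a DER-encoded KeyUsage BIT STRING into a list of usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("expected a DER BIT STRING (tag 0x03)")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("unsupported or inconsistent BIT STRING length")
    unused_bits = der[2]
    payload = der[3:]
    if unused_bits > 7 or (unused_bits and not payload):
        raise ValueError("invalid unused-bits count")
    # DER requires the padding bits in the final byte to be zero.
    if payload and payload[-1] & ((1 << unused_bits) - 1):
        raise ValueError("non-zero padding bits in BIT STRING")
    total_bits = len(payload) * 8 - unused_bits
    usages = []
    for bit in range(min(total_bits, len(KEY_USAGE_BITS))):
        if payload[bit // 8] & (0x80 >> (bit % 8)):
            usages.append(KEY_USAGE_BITS[bit])
    return usages


def tls_client_auth_ok(usages) -> bool:
    """A TLS client certificate must be able to sign CertificateVerify,
    so digitalSignature has to be asserted; keyEncipherment alone is not enough."""
    return "digitalSignature" in usages


def explain(der: bytes) -> str:
    """One-line verdict for a KeyUsage blob, handy when comparing two issued certs."""
    usages = decode_key_usage(der)
    verdict = "usable" if tls_client_auth_ok(usages) else "NOT usable"
    return "KeyUsage %s -> %s for TLS client auth" % (", ".join(usages), verdict)


if __name__ == "__main__":
    print("Windows 7 cert:", explain(WIN7_KEY_USAGE))
    print("XP cert:       ", explain(XP_KEY_USAGE))
```

On the Windows side the same bits can be read from an exported .cer with certutil -dump, or in PowerShell by inspecting the X509KeyUsageExtension object among a certificate's Extensions; the value to look for on a client-auth cert is that Digital Signature is present, not merely Key Encipherment.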
5 Comments
 
LVL 82

Expert Comment

by:David Johnson, CD, MVP
ID: 35057487
If you are using a self-signed certificate authority, then that is the root of the problem, as the certs are now different. You will have to revoke the older certs and push out new ones.
0
 

Author Comment

by:tboncher
ID: 35058996
Ugh.  We are talking about a few hundred over dozens of customers at sites across the country.  Do you know of documentation of this issue?  Thanks!
0
 

Author Comment

by:tboncher
ID: 35059019
Sorry, I did not positively confirm - yes, we are using a self-signed CA.
0
 
LVL 82

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 35062687
You might try this:

    Go to the certsrv directory - probably http://localhost/certsrv/
    Click "Request a Certificate"
    Click "advanced certificate request"
    Click "Create and submit a request to this CA"
    Fill out the form, etc.

    From this point forward it's the same as any other certificate.
0
 

Author Closing Comment

by:tboncher
ID: 35199317
I would agree that this method should work.  However, it is not very user friendly to my end-users who, on average, are not very technical.  Therefore, I am going to keep trying to find a way to get the normal way to work - such as having a second parallel web site that references a new certificate store - maybe on a second server instance, etc.  Thanks, Tom.
0
